1. Field of the Invention
The present invention relates to an apparatus and method for ciphering/deciphering a signal in a communication system.
2. Description of the Related Art
Extensive research is being conducted into the next generation communication systems for providing users with services based on various qualities of service (QoSs) at a high transmission rate.
A wireless local area network (LAN) communication system and a wireless metropolitan area network (MAN) communication system support a high transmission rate. The wireless MAN communication system serves as a broadband wireless access (BWA) communication system, and supports a wider service area and a higher transmission rate than the wireless LAN communication system. In the next generation communication system, extensive research is being conducted to develop a new communication system capable of ensuring the mobility and QoS for subscriber stations (SSs) in the wireless LAN and MAN communication systems for ensuring a relatively high transmission rate such that high-speed services provided by the next generation communication system can be supported.
A system for exploiting orthogonal frequency division multiplexing (OFDM) and orthogonal frequency division multiple access (OFDMA) schemes for supporting a broadband transmission network in a physical channel of the wireless MAN communication system is based on the Institute of Electrical and Electronics Engineers (IEEE) 802.16 communication standard, referred to herein as the IEEE 802.16 communication system. Because the IEEE 802.16 communication system exploits the OFDM/OFDMA scheme in the wireless MAN communication system, a physical channel signal can be transmitted through a plurality of subcarriers and therefore high-speed data can be transmitted. For convenience of explanation, the IEEE 802.16 communication system will be described by way of an example of the BWA communication system.
As described above, extensive research is being conducted to provide high-speed data transmission in the IEEE 802.16 communication system, and more particularly to provide multicast and broadcast service (MBS) that can provide a plurality of SSs with an identical service while minimizing resources. MBS providers need to consider user authentication and accounting. To perform the user authentication and accounting for an SS receiving MBS data, a point in time when the SS starts to receive the MBS data and a point in time when the MBS data reception is stopped must be correctly detected. For this, a transmitter (e.g., a base station (BS)) for transmitting the MBS data ciphers the MBS data such that the MBS data can be received only by receivers (e.g., SSs) to which service fees can be charged. When receiving the MBS data, the SSs must decipher the ciphered MBS data. The BS must send deciphering information to the SSs such that they can receive and decipher the MBS data ciphered by the BS.
A ciphering/deciphering operation in an Advanced Encryption Standard (AES)-Counter mode (CTR) for defining ciphering and deciphering schemes used in the IEEE 802.16 communication system will be described with reference to FIGS. 1 and 2.
FIG. 1 illustrates an MBS payload format used in the conventional IEEE 802.16 communication system.
Referring to FIG. 1, an MBS payload includes a generic medium access control (MAC) header (GMH) field 111, a NONCE field 113, an MBS stream field 115, and a cyclic redundancy check (CRC) field 117.
The GMH header field 111 includes a GMH header serving as a MAC header with a preset length. The NONCE field 113 includes a nonce used to generate an initial counter value of a counter in the AES-CTR mode. The MBS stream field 115 includes an MBS stream. The CRC field 117 includes a CRC value for checking an error of the MBS payload. The MBS stream included in the MBS stream field 115 is generated from ciphered MBS data. It is preferred that a nonce size is identical with a size of MBS data before ciphering. However, the nonce size does not need to be identical with the size of MBS data before ciphering. In the IEEE 802.16 communication system, the nonce size is set to 32 bits.
FIG. 2 is a block diagram illustrating the structure of the AES-CTR ciphering apparatus used in the AES-CTR mode of the conventional IEEE 802.16 communication system.
Referring to FIG. 2, the AES-CTR ciphering apparatus includes an AES-CTR ciphering unit 200 and an initial counter value generator 211. The AES-CTR ciphering unit 200 includes a counter 213, n cipher block generators, i.e., the first to n-th cipher block generators 215-1 to 215-n, and n exclusive OR (XOR) logical operators, i.e., the first to n-th XOR logical operators 217-1 to 217-n. 
MBS data to be transmitted, a nonce, and an MBS traffic key (MTK) are input to the AES-CTR ciphering unit 200 when the MBS data to be transmitted is generated. The MBS data is fragmented into n plain texts, i.e., the first to n-th plain texts. Each of the n plain texts is input to an associated XOR logical operator. That is, the first plain text is input to the first XOR logical operator 217-1. In this manner, the n-th plain text is input to the n-th XOR logical operator 217-n. The nonce is set to a 32-bit random number in the current IEEE 802.16 communication system. The 32-bit nonce is input to the initial counter value generator 211. The MTK is input to the first to n-th cipher block generators 215-1 to 215-n. 
The initial counter value generator 211 receives the nonce and generates a 128-bit initial counter value by repeating the received nonce a preset number of times, for example, four times. Then, the initial counter value generator 211 outputs the generated initial counter value to the counter 213. The counter 213 receives the initial counter value from the initial counter value generator 211 and increments the initial counter value by one, n number of times, thereby generating n counter values. The counter 213 outputs each of the n counter values to an associated cipher block generator. That is, the counter 213 outputs to the first cipher block generator 215-1 the first counter value generated by incrementing the initial counter value by one. The counter 213 outputs to the second cipher block generator 215-2 the second counter value generated by incrementing the initial counter value by two. In this manner, the counter 213 outputs to the n-th cipher block generator 215-n the n-th counter value generated by incrementing the initial counter value by n.
Each of the n cipher block generators receives the MTK and a counter value output from the counter 213, generates a cipher block, and outputs the generated cipher block to an associated XOR logical operator. That is, the first cipher block generator 215-1 generates the first cipher block using the MTK and the first counter value output from the counter 213, and then outputs the generated cipher block to the first XOR logical operator 217-1. In this manner, the n-th cipher block generator 215-n generates the n-th cipher block using the MTK and the n-th counter value output from the counter 213, and then outputs the generated cipher block to the n-th XOR logical operator 217-n. 
Each of the n XOR logical operators receives an associated plain text and a cipher block output from an associated cipher block generator, performs the XOR logical operation on the plain text and the cipher block, and generates and outputs an MBS stream. That is, the first XOR logical operator 217-1 receives the first plain text and the first cipher block output from the first cipher block generator 215-1, performs an XOR logical operation on the first plain text and the first cipher block, and generates and outputs the first MBS stream. In this manner, the n-th XOR logical operator 217-n receives the n-th plain text and the n-th cipher block output from the n-th cipher block generator 215-n, performs an XOR logical operation on the n-th plain text and the n-th cipher block, and generates and outputs the n-th MBS stream.
Because the AES-CTR ciphering unit uses an identical MTK as described above, more stable ciphering can be performed by changing the initial counter value of the counter during a time interval using the identical MTK. Because the current IEEE 802.16 communication system generates a nonce in the form of a random number, an initial counter value of a previous time interval, before an MTK is refreshed, may be reused in a subsequent time interval. In this case, the stability of a ciphering operation may not be ensured. It is very important that a repeat of an initial counter value or a collision between initial counter values is avoided. Because there is the danger of hacking when an initial counter value is identical in a time interval using an identical MTK, the initial counter value must not be repeated in the time interval using the identical MTK.
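The counter construction of FIG. 2 and the consequence of a repeated initial counter value can be worked through in code. The following is an added example, not part of the original document: the cipher block generator is replaced by a truncated HMAC-SHA256 stand-in for AES (an assumption, so that only the standard library is needed), and the names MTK, NONCE, nonce_repeat_probability and NonceReuseMonitor are hypothetical.

```python
import hashlib, hmac, math

BLOCK = 16                       # 128-bit counter value and cipher block
MTK = bytes(range(16))           # constructed sample traffic key
NONCE = bytes.fromhex("a1b2c3d4")  # constructed sample 32-bit nonce

def initial_counter(nonce32: bytes) -> int:
    """128-bit initial counter value: the 32-bit nonce repeated four times."""
    if len(nonce32) != 4:
        raise ValueError("nonce must be 32 bits")
    return int.from_bytes(nonce32 * 4, "big")

def cipher_block(mtk: bytes, counter: int) -> bytes:
    # Stand-in for AES encryption of the counter value under the MTK
    # (assumption: HMAC-SHA256 truncated to 128 bits). The counter-mode
    # structure around it is the one described for FIG. 2.
    msg = (counter % (1 << 128)).to_bytes(BLOCK, "big")
    return hmac.new(mtk, msg, hashlib.sha256).digest()[:BLOCK]

def ctr_cipher(mtk: bytes, nonce32: bytes, data: bytes) -> bytes:
    """Cipher or decipher: the i-th text is XORed with the i-th cipher block."""
    init = initial_counter(nonce32)
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = cipher_block(mtk, init + i // BLOCK + 1)  # first value is init+1
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def nonce_repeat_probability(payloads: int, nonce_bits: int = 32) -> float:
    """Birthday bound: chance that a random nonce repeats under one MTK."""
    return 1.0 - math.exp(-payloads * (payloads - 1) / (2.0 * 2 ** nonce_bits))

class NonceReuseMonitor:
    """Records nonces seen while one MTK is in use; cleared on MTK refresh."""
    def __init__(self):
        self.seen = set()
    def check(self, nonce32: bytes) -> bool:
        reused = nonce32 in self.seen
        self.seen.add(nonce32)
        return reused
    def mtk_refreshed(self):
        self.seen.clear()
```

When two payloads share a nonce under the same MTK, the XOR of the two MBS streams equals the XOR of the two plain texts, independent of the key. With random 32-bit nonces the repeat probability passes one half after roughly 77,000 payloads under one MTK.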
It is very important that not only encryption is stable, but also an amount of data to be additionally transmitted for ciphering and deciphering is minimized when the overall performance of a system is considered. However, data transmission capacity is lowered due to a nonce because a 32-bit nonce must be transmitted in every MBS stream as in the current IEEE 802.16 communication system.